
Congrats on launching and building something. Unfortunately I think this is very bad for security. We have seen numerous account takeovers from iMessage- and SMS-based 2FA. This makes it even easier. I also don't understand why password managers are starting to support storing TOTP. It is a terrible idea.



My view is that TOTP/2FA prevents someone with only your password from logging in.

Having the TOTP seed inside a password manager doesn't break this goal, so I'm fine with it.

Of course it means if my password manager gets hacked, there's everything to log in inside, but I'm more concerned about services leaking password hashes that get broken, or accidentally getting phished (and giving up a password + TOTP combo that can only be used once) than about my password manager being hacked.


I just went round and round with my bank about needing my phone number so they can text me a TOTP. You know, for security. They just can't quite seem to wrap their head around how having the same device running their banking app that also receives the text is not secure when the device is no longer in your possession.


Doesn't the attacker still need to know the password to the banking account, or the master password to the password manager? That'd be the second factor.

Besides being able to unlock the phone in the first place obviously.


I only switched to a device with FaceID recently, so I haven't seen how common false positives are in the wild. I still have devices with ThumbID, and I can get into my tablet with rubber gloves without any issues. As far as just a password, if you're using a password manager also located on the phone... There are also people that just don't enable any of that kind of thing on their apps. So we're still fighting those fights. I'm the type that wishes every single app required authentication, though.


If they're texting you it, it's almost certainly not TOTP.


Their words, not mine. I probably should have put it in quotes.


Huh, TOTP and HOTP are pretty technical terms, and I generally don't hear them in places meant for general consumers to read (e.g. even Google Authenticator, which does TOTP and HOTP, doesn't say TOTP or HOTP). The general term, OTP is much more common, and is accurate for SMS.


Soooo, now you're arguing with me about what the person on the phone said? Where does that take the conversation?


I'm not trying to argue. I'm just saying that it's strange.


Sounds like one-factor auth with 2 passwords.


It's called two-step verification. It prevents someone from "guessing" the password but doesn't stop someone who has physical access to the device with the password stored. Same as with e-mail or SMS codes, basically. I don't think I recall any websites that detect I am using my phone and rely on a true "second factor", aside from enterprise applications where I got a hardware YubiKey.


It is called two-factor or multi-factor authentication. It should be something you know (password) and something you have (device). Storing TOTP with your password defeats the entire point of it.


> I also don’t understand why password managers are starting to support storing totp.

1Password's had this for many years now. In a perfect world with users who followed the rules perfectly every time, a separate TOTP gadget is clearly better. In this world, a slightly less secure TOTP system that's convenient enough that regular people actually use it is vastly better than a perfect system that gets worked around.

Analogy: NIST says to stop requiring periodic password rotations. In dreamland, users would use their password manager to create a new, ultra-strong, unique password every time. In reality, people tired of the rotation treadmill go from `SecurePassword!202406` to `SecurePassword!202407`.

As a component, a separate TOTP generator is better. As a system, an integrated one is more useful.


I'm 200% in favor of exposing how bad SMS is until companies stop using it and start supporting hardware keys.


It turns out that security at the expense of usability is at the expense of security.



